Frank shows you how to update the encryption key used by an RDS instance


How can I update the encryption key used by my Amazon Relational Database Service (Amazon RDS) instance so that it uses a new encryption key?

You can't change the encryption key used by an Amazon RDS instance. However, you can create a copy of the instance and then choose a new encryption key for the copy.

To create a copy of a DB instance with a new encryption key, follow these steps:

  1. Create a manual snapshot of your DB instance.
  2. Open the Amazon RDS console, and then choose Snapshots from the navigation pane.
  3. Choose your snapshot, choose Actions, and then select Copy Snapshot.
    Note: Be sure to choose Enable encryption.
  4. For Master key, choose the new encryption key that you want to use.
  5. Restore the copied snapshot.

The new DB instance uses your new encryption key. If you no longer need the old DB instance, you can delete the instance. But before you delete the old instance, confirm that your new database has all necessary data and is successfully integrated into your application.

Published: 2017-02-02

Updated: 2019-01-11